The future enterprise will be edge-centric, cloud enabled and data driven, said Bill Burnham, CTO, U.S. Public Sector Business Unit, Hewlett Packard Enterprise.
He shared his ideas during an AFCEA online event titled “The Edge Is Where the Action Is!”
The Defense Digital Service (DDS) and HackerOne announced the launch of the DDS’s latest bug bounty program with HackerOne. It is the eleventh such program for DDS and HackerOne and the third with the U.S. Department of the Army.
Hack the Army 3.0 is a security test— time-bound and hacker-powered—aimed at revealing vulnerabilities so they can be resolved before they are exploited by adversaries. The bug bounty program will run from January 6, 2021, through February 17, 2021, and is open to both military and civilian participants.
It is no secret that the U.S. government is grappling with cybersecurity issues across its organizations and agencies. The good news is that the government has an auditing agency that investigates possible weaknesses or cybersecurity gaps and makes key recommendations to rectify problems: the U.S. Government Accountability Office, known as GAO.
Emerging technology, state actors such as Russia and China, and nonstate actors including ISIS, are often quoted as some of the greatest threats to computer and network security. But before the United States can engage with these threats effectively, the war against words must take place.
One place to start is by eliminating the word “cyber” as a descriptor. The term has been used and overused, manipulated and exploited so many times and in so many places, it has become meaningless. What individuals or organizations mean or want when they use it is impossible to say. It’s time to scrap the word altogether and instead specify technical concepts at a more granular level.
Experts have issued fresh warnings to U.S. citizens over the enormous amount of sensitive, personal information being routinely captured and commoditized, and that this same information is being weaponized by the country’s adversaries. A panel at the recent AFCEA TechNet Cyber conference highlighted that data gathering by Facebook, WhatsApp and Google presents a significant risk to both individuals and the nation.
Innovative ideas may hold the key to thwarting cyber adversaries emboldened by opportunities offered in the COVID-19 pandemic. And, the source of these innovative approaches may be diverse personnel who break the mold of conventional cybersecurity professionals.
The Defense Department’s new cybersecurity maturity model certification (CMMC) coincidentally took effect on the first day of TechNet Cyber, AFCEA’s virtual event being held December 1-3. Leading officials with the Defense Department, the Defense Information Systems Agency (DISA) and industry discussed what its implementation will mean to the defense industrial base (DIB) and the community as a whole.
Adversaries are stepping up their efforts to exfiltrate information and weaken the U.S. supply chain through cyberspace. These efforts aim to both wreck the country from within and strengthen the hand of the adversary wielding the digital sword, according to a U.S. government official.
New government security measures are designed with these challenges in mind, and they can help secure targeted small businesses. The Cybersecurity Maturity Model Certification (CMMC), which is rolling out, is designed to help mitigate the effects of adversarial activities in cyberspace.
U.S. data protection and its relationship to national interests are swiftly evolving. One reason this trend will continue, cybersecurity specialists say, is that other nations see cyberspace differently than the United States and other democracies. Rather than incorporating technology into their societies as a tool, they use cybersecurity—both offensively and defensively—to support their different views and overall significantly challenge U.S. interests.
Anyone moving through the ecosystem of software development and cyber over the last few decades has heard cool words to describe it: Waterfall, Cobalt, Agile, DevOps and now DevSecOps.
DevSecOps may be the latest term but the idea behind it remains constant: Security should be a priority from the start.
Automation software tools are being under-utilized, especially in the U.S. Defense Department. While the department has purchased and used automated scanning tools for security and compliance, it has been slow to adopt automation for many other tasks that would benefit from the capability, such as easing software deployment and standardization and, once developed, increasing the speed of overall automation.
While the world was facing the rapid and deadly spread of the severe acute respiratory syndrome coronavirus 2, most commonly known as COVID-19, malicious cyber attackers were also at work, increasing the number of attacks, switching methods, taking advantage of the boom in Internet, network and email users, and playing on fears during the uncertain time, cybersecurity experts say. Companies struggling to maintain operations are still leaving gaps in digital security, they warn.
Many agencies today lack a way to effectively and securely govern access across multicloud environments. Though the use of multiple cloud platforms such as AWS, Azure and Google give agencies the freedom to match the requirements of each use case to the unique strengths of each cloud platform, it also leaves businesses vulnerable to the risks and costs of noncompliance, cyber attacks and human error.
Lack of governance can also stifle productivity and growth—if users can’t get the access they need when they need it, work doesn’t get done. Managing who has access to what and with which privileges is a major challenge in the cloud due to rapid change and its large scale.
Users need to transition all networked computing from the commercial central processing unit addiction to pure dataflow for architecturally safe voting machines, online banking, websites, electric power grids, tactical radios and nuclear bombs. Systems engineering pure dataflow into communications and electronic systems can protect them. The solutions to this challenge are in the users’ hands but are slipping through their fingers. Instead, they should grab the opportunity to zeroize network attack surfaces.
The two-factor authentication schema is often heralded as the silver bullet to safeguard online accounts and the way forward to relegate authentication attacks to the history books. However, news reports of a phishing attack targeting authentication data, defeating the benefits of the protection method, have weakened confidence in the approach. Furthermore, hackers have targeted account recovery systems to reset account settings, yet again mitigating its effectiveness. Facilitating additional layers of security is crucial to bolstering user account protection and privacy today and into the future.
Cybersecurity is now a significant area of focus and concern for senior leaders who have witnessed cyber events that have resulted in significant financial and reputational damage. However, for many organizations, data defense continues to be a technology-focused effort managed by the technical “wizards.” Board of director discussions often zero in on describing the latest cyber threats rather than taking a long-range approach.
But cybersecurity is more than a technical challenge. Enterprise risk management (ERM) is an effective tool to assess risks, including those with cyber origins, but few businesses or agencies use the technique for this purpose, cyber experts assert.
COVID-19 has done more than increase hand-washing and mask-wearing. It has meant an entirely new way of communicating and collaborating. Those on the front lines say some of these changes are here to stay and will last much longer than the pandemic simply because they are more efficient ways to do business.
On both sides of the Atlantic, NATO and European leaders are struggling to address the threat posed to vital space systems by foreign hackers, cyber warfare and online espionage. Huge swathes of the global economy are utterly dependent on orbital capabilities like GPS that look increasingly fragile as space becomes more crowded and contested.
The COVID-19 pandemic brings with it a new set of cyber vulnerabilities built around lifestyle changes throughout society, and these vulnerabilities cry out for new means of cyber resiliency. “It’s quite possible that historians will remember COVID-19 as one of the very important civilizational turning points,” says Alexander Kott, chief scientist of the Army Research Laboratory and Army ST for cyber resilience. “COVID-19 is acting as a forcing function. It forces us to accelerate the transition to a more virtual society than we were before, and it is accelerating the trend that was occurring before COVID-19 but was happening more slowly and less noticeably.”
Enterprise modernization of the Navy's networks and systems is finally underway. Set to impact hundreds of thousands of uniformed and civilian users, it will consolidate many outsourced network service delivery mechanisms across the entire Department of the Navy (DON). The initiative aims to transform how services are delivered, provide a dramatically improved end user experience, and enable critical innovations long needed to accelerate the DON’s mission.
Two Sandia National Laboratories computer scientists are earning national recognition for cybersecurity platforms they developed. Adrian Chavez and Vince Urias will pitch their software to investors, entrepreneurs and prospective customers during the Cybersecurity Technology Virtual Showcase, which runs July 21-30 and is sponsored by the U.S. Department of Energy.
Combined, Chavez and Urias led the creation of four of the technologies to be showcased.
The U.S. Defense Department by the end of the calendar year will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.
Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.
The U.S. Army’s near future will include an increased focus on adopting “zero trust” cybersecurity practices, better protecting its network endpoints and consolidating its plethora of cloud computing contracts, according to Lt. Gen. Bruce Crawford, the Army’s outgoing CIO/G-6. It also will likely include tightening defense budgets.
The general indicated during a keynote address for the Army’s virtual 2020 Signal Conference, which is hosted by AFCEA, that the 2021 fiscal year “is going to be all about driving on priorities.”
The U.S. Air Force is experimenting with a zero trust strategy to provide additional digital protections. Zero trust architecture offers a higher level of cybersecurity, through limited per-session access, continuous monitoring, endpoint security and monitoring of network conversations, explained Col. James Lotspeich, USAF, chief technology officer, Air Combat Command (ACC), Directorate of Cyberspace and Information Dominance (A6).
Col. Lotspeich spoke about the ACC’s zero trust architecture efforts during AFCEA Tidewater’s July 2 virtual luncheon.
At 61 years old, the common business-oriented language is the same age as many college kids’ parents. The coding language had its own exhibit in the Smithsonian National Museum of American History in 2013. Many in the industry now call it a “legacy language,” but its continued, widespread use tells a different story.
In the past two years, hackers have increasingly targeted Internet of Things devices to breach cybersecurity defenses. Because these devices are frequently not patched when software flaws are found, they represent a soft target for attackers. In 2017, 15 percent of all successful attacks exploited one of these device’s beachheads. By 2019, that number increased to 26 percent of all incidents with growth expected to continue, according to a recent analysis performed by Ponemon Institute.
With the 2020 election fast approaching and tensions with Iran continually shifting, many people are looking to U.S. Cyber Command to help ensure cybersecurity. The command faces an uphill battle because the current construct allows each service branch to retain tactical command of its organic cyber experts. To be more successful in the cyberspace domain, the command needs to take over tasking authority for all cyber-related units, establish a standardized joint cyber schoolhouse and establish a Joint Cyber Operations Command to perform joint, effects-driven cyber operations.
ASIRTek Federal Services LLC, San Antonio, Texas, has been awarded a $78,000,000 firm-fixed-price contract for information security support services. This contract provides for proactive support of the foundational pillars of this requirement, which are cybersecurity improvement initiatives and cybersecurity support. Work will be performed at Joint Base San Antonio-Lackland, Texas. Additional on-site support locations may include Joint Base Langley-Eustis, Virginia; Robins Air Force Base, Georgia; Tyndall AFB, Florida; Randolph AFB, Texas; and Davis-Monthan AFB, Arizona. Work is expected to be completed June 28, 2025. This award is the result of a competitive acquisition with 24 offers received.
ICF Inc. LLC, Fairfax, Virginia, was awarded a $13,444,607 modification (P00036) to contract W911QX-17-C-0018 to extend mission critical defense cyber operation services provided by ICF. Work will be performed in Adelphi, Columbia, Fort Meade, and Aberdeen Proving Ground, Maryland; Fort Belvoir, Virginia; San Antonio, Texas; and Colorado Springs, Colorado, with an estimated completion date of December 15, 2020. Fiscal year 2020 research, development, test and evaluation, Army funds in the amount of $13,444,607 were obligated at the time of the award. U.S. Army Contracting Command, Aberdeen Proving Ground, Maryland, is the contracting activity.
The efficiencies of using and embedding open source software (OSS) carry many risks. In the advent of free repositories and millions of open source projects, the notion of any reasonable centralized authentication about the origin or any assurance as to correctness is virtually impossible. As a result, users should cultivate trust relationships with a few suppliers and keep them up to date.
Information technology modernization has reached a precipice within the federal government as agencies struggle to manage many moving parts and jockey for the same pot of money and talent. Add to the fray the results of a new survey showing an alarming reliance by federal agencies on outdated information technology systems.
The Space Force has announced that the planned satellite hacking challenge known as Space Security Challenge 2020: Hack-A-Sat would proceed as planned, but in a virtual format due to the pandemic. The Department of the Air Force and the Defense Digital Service's (DDS's) event includes an online qualification event May 22-24, followed by a final August 7-9. During the final, participants will attempt to reverse-engineer representative ground-based and on-orbit satellite system components to overcome planted “flags” or software code.
The coronavirus is not stopping the U.S. Defense Department from proceeding with work on the Cybersecurity Maturity Model Certification (CMMC), and it shouldn’t slow down industry in doing the same. Although some of the public hearings that should have taken place by now have been delayed because of the pandemic, the CMMC team continues to train and get the word out about rules changes.
ForAllSecure, a NEA portfolio company, announced that is will provide the Defense Department with a next-generation fuzzing solution under a $45 million contract with the Defense Innovation Unit. The company's software security product, known as Mayhem, will be used by several DOD entitieservices branches, including: the Air Force 96th Cyberspace Test Group, the Air Force 90th Cyberspace Operations Squadron, the Naval Sea Systems Command and the U.S. Army Command, Control, Communication, Computers, Cyber, Intelligence, Surveillance and Reconnaissance Center, according to the company. The product, which automatically finds software vulnerabilities, is a patented next-generation solution developed at Carnegie Mellon University.
NATO is doubling down on cyberspace defense with increased partnerships and new technology thrusts. Information exchanges on threats and solutions, coupled with research into exotic capabilities such as artificial intelligence, are part of alliance efforts to secure its own networks and aid allies in the cybersecurity fight.
The threats the alliance networks face constitute relatively the same ones confronting other organizations. NATO faces the double challenge of securing its own networks and information assets, as well as helping its member nations improve their own national cyber resilience.
Amid growing fears that U.S. military reliance on civilian space infrastructure might prove a weak point, two organizations are seeking to improve cybersecurity in the burgeoning satellite industry. The Orbital Security Alliance has published a detailed set of cybersecurity guidelines for commercial satellite operators, which aims specifically at smaller, newer companies in the fast-growing “minisat” sector.
The success of the new Cybersecurity Maturity Model Certification (CMMC) will hinge largely on diverse types of contractors sharing information and following security standards, said a panel of experts exploring CMMC ramifications. Speaking at AFCEA’s Virtual CMMC Symposium, the government officials emphasized that the CMMC will be both an opportunity and an obligation to the defense community
Digital structures are needed to protect government information and operations. A group participating in a National Institute of Standards of Technology challenge is offering a secure cloud-based platform that can improve the digital and actual health of a city and protect its information.
As cloud computing gains greater numbers of adherents, their increasing demands are straining security measures designed to guard operations. This problem is going to worsen dramatically when applications such as artificial intelligence development assume a significant presence in the cloud.
Yet those same complications offer opportunities. The new types of security that will need to be applied to the cloud can be used for other forms of cyberspace operations. Solutions to the difficulties of cloud security could help protect data elsewhere commensurate with the enhanced role played by the cloud.
Companies should not be intimidated by the multitiered Cybersecurity Maturity Model Certification (CMMC), says a panel of experts. The new system is geared for companies to approach it methodically as they learn more about its implementation and requirements.
In a remote session hosted by AFCEA’s Virtual CMMC Symposium, the panelists encouraged companies to proceed through its steps and seek advice from others, particularly prime contractors. Janey Nodeen, president, Burke Consortium Inc., said, “There is a path to success. It’s not as hard as you think, and at the end of the day it’s very, very valuable to your company.
“It is very much a crawl-walk-run approach, and don’t overthink it,” she added.
Ensuring the sanctity of defense information goes beyond keeping secrets from the enemy: it also brings to light vulnerabilities in the supply chain. One of the key tenets of the Cybersecurity Maturity Model Certification (CMMC) is to guarantee the sanctity of the supply chain in a time when data is particularly in peril.
A keynote fireside discussion group at AFCEA’s Virtual CMMC Symposium looked at the threats posed to the supply chain in light of the COVID-19 coronavirus pandemic. Bob Kolasky, director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, provided a powerful presentation in which he pulled no punches about the threat.
“The time is now” for companies to begin implementation of Cybersecurity Maturity Model Certification (CMMC) measures, said the chief information security officer for defense acquisition. Katie Arrington, speaking at AFCEA’s Virtual CMMC Symposium, told participants that many CMMC tenets constitute good practices that can—and should—be implemented even before the CMMC is formalized.
“Let’s not wait until it’s required; let’s do it now,” Arrington said. “The time is now.” She added that the country loses $600 billion a year to adversaries, and practicing basic cyber hygiene methods that will be part of CMMC level 1 standards will help companies immensely.
A joint advisory published today by the U.K.’s National Cyber Security Centre (NCSC) and U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) shows that a growing number of cyber criminals are exploiting the COVID-19 outbreak for their own personal gain.
Managing an enterprise cybersecurity and information assurance program in any company today is a complex balancing act. It resembles an unending three-dimensional chess match entwining business risk, profit and loss, pitting a company’s very survival against myriad global threat actors. An organization’s cybersecurity stance also involves a combination of technology and solid decision making at an organization’s highest levels.
Security is among the single greatest concern government agencies have about moving their systems to the cloud. Although it offers significant benefits, cloud computing continues to raise questions about data and system protection. Regardless, the Office of Management and Budget via its Cloud Smart Strategy and the previous Cloud First policy mandates government agencies move to the cloud.
The Secure 5G and Beyond Act, the Promoting United States Wireless Leadership Act and the Prague Proposals have topped the headlines in recent months. All three are focused on security.
The bipartisan Cyberspace Solarium Commission today issued a call to action on cybersecurity. The commission issued a report sounding the alarm on the nation’s lack of security in cyberspace.
“The reality is that we are dangerously insecure in cyber. Your entire life—your paycheck, your health care, your electricity—increasingly relies on networks of digital devices that store, process and analyze data. These networks are vulnerable, if not already compromised,” Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wisconsin), co-chairs of the commission, write in a letter introducing the report.
The much-hyped 5G has begun to arrive, but in the United States, the truly transformative elements of these next-generation cellular networks are probably still four or five years off. Although improvements such as 100-times-faster speeds will enable more life-and-death type services, including remote surgery or self-driving cars, they also employ a more compromised hardware supply chain and offer a larger attack surface than current networks, federal officials warn.
“The anxiety from governments and regulators about the security issues [arising from 5G] and possible nation-state interference is at a fever pitch right now,” Robert Mayer, senior vice president for cybersecurity, USTelecom, says.
The United States is woefully underprepared to protect cyberspace against the worst-case scenarios threatening the country, says the former supreme allied commander of NATO. Adm. James Stavridis, USN (Ret.), operating executive for the Carlyle Group, warns that long-term solutions must be paired with near-term actions to prevent a host of cyber threats from crippling the United States militarily and economically.
Technica Corp. of Sterling, Virginia, has been awarded a $13,591,345 cost-plus-fixed-fee modification to exercise the first option period, February 15, 2020, through February 14, 2021. The contract provides weapon system engineering and maintenance services to include incremental software version development and installation, security patch installations, preventative maintenance, trouble shooting and responsive Tier 1, 2 and 3 support for the Cyberspace Vulnerability Assessment/Hunter (CVA/H) weapon system. Work will be performed in Sterling, Virginia, and is expected to be complete by August 14, 2025. The award is the result of a competitive acquisition.
